PGP 5.0 Instruction Manual

Pretty Good Privacy™
PGP for Personal Privacy, Version 5.0
For the Mac OS
User’s Guide
PGP™, Inc.
© 1997 by Pretty Good Privacy, Inc. All rights reserved. 5-97. Printed in the United States of America.
Record the serial number from your License Agreement in the space provided below:
Copyright © [1990], 1997 by Pretty Good Privacy, Inc. All Rights Reserved.
PGP, Pretty Good, and Pretty Good Privacy are registered trademarks of Pretty Good Privacy, Inc. All other trademarks and registered trademarks are the property of their respective owners.
Pretty Good Privacy, Inc. may have patents and/or pending patent applications covering subject matter in this document. The furnishing of this document or the software does not give you any license to these patents.
PGP uses public key algorithms described in U.S. Patent numbers 4,200,770, 4,218,582, 4,405,829, and 4,424,414, licensed exclusively by Public Key Partners.
PGP uses the IDEA cryptographic cipher described in U.S. Patent number 5,214,703 and is licensed from Ascom Tech AG. IDEA is a trademark of Ascom Tech, AG.
The compression code in PGP is by Mark Adler and Jean-loup Gailly, taken with permission from the free Info-ZIP implementation.
LBalloonTracker is © 1996-1997 Corporate Software & Technologies Int. Inc. (CS&T). Permission is granted for use of LBalloonTracker free of charge, other than acknowledgement of Paul Lalonde and CS&T in any program using LBalloonTracker (perhaps in an About box or in accompanying documentation).
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement and Limited Warranty provided with the software. The information in this document is subject to change without notice. Pretty Good Privacy, Inc. does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by Pretty Good Privacy, Inc.
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restrict the export and re-export of certain products and technical data.
PRETTY GOOD PRIVACY, INC. 2121 South El Camino Real, Suite 902 San Mateo, CA 94403 (415) 631-1747 (415) 572-1932 fax info@pgp.com http://www.pgp.com
LIMITED WARRANTY. Pretty Good Privacy, Inc. warrants that the Software will perform substantially in accordance with the written materials in this package for a period of 90 days from the date of original purchase. Pretty Good Privacy, Inc.'s entire liability and your exclusive remedy shall be, at Pretty Good Privacy, Inc.'s option, either (a) return of the purchase price paid for the license or (b) repair or replacement of the Software that does not meet Pretty Good Privacy, Inc.'s limited warranty and which is returned at your expense to Pretty Good Privacy, Inc. with a copy of your receipt. This limited warranty is void if failure of the Software has resulted from accident, abuse, or misapplication. Any repaired or replacement Software will be warranted for the remainder of the original warranty period or 30 days, whichever is longer.
IF THE SOFTWARE IS EXPORT CONTROLLED (SEE BELOW), THESE REMEDIES ARE NOT AVAILABLE OUTSIDE THE UNITED STATES OF AMERICA.
NO OTHER WARRANTIES. EXCEPT FOR THE WARRANTIES SET FORTH HEREIN, THE SOFTWARE AND DOCUMENTATION ARE PROVIDED "AS IS" AND PRETTY GOOD PRIVACY, INC. DISCLAIMS ALL OTHER WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, CONFORMANCE WITH DESCRIPTION, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. THIS LIMITED WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHERS, WHICH VARY FROM STATE TO STATE.
LIMITATION OF LIABILITY. PRETTY GOOD PRIVACY, INC.'S CUMULATIVE LIABILITY TO YOU OR ANY OTHER PARTY FOR ANY LOSS OR DAMAGES RESULTING FROM ANY CLAIMS, DEMANDS OR ACTIONS ARISING OUT OF OR RELATING TO THIS AGREEMENT SHALL NOT EXCEED THE PURCHASE PRICE PAID FOR THE LICENSE. IN NO EVENT SHALL PRETTY GOOD PRIVACY, INC. OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR EXEMPLARY DAMAGES OR LOST PROFITS WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE, EVEN IF PRETTY GOOD PRIVACY, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU.
This book was written by Mike Iannamico
special thanks to Gail Kesner Haspert
Table of Contents

Chapter 1: Introducing PGP for Personal Privacy
A Quick Overview
Create a Private and Public Key Pair
Exchange Public Keys with Others
Certify and Validate Your Keys
Encrypt and Sign Your E-mail
Decrypt and Verify Your E-mail
About This Manual
Chapter 2: Getting Started
System Requirements
Compatibility with Other Versions
Upgrading from a Previous Version
Installing PGP
Running PGP
Using PGP from the PGPmenu
Using PGP from Supported e-mail Applications
Using PGP from the PGPtools Window
Selecting Recipients
Taking Shortcuts
Chapter 3: Making and Exchanging Keys
Key Concepts
Making a Key Pair
Protecting Your Keys
Distributing Your Public Key
Making your Public Key Available Through a Key Server
Including your Public Key in an e-mail Message
Exporting your Public Key to a File
Obtaining the Public Keys of Others
Getting Public Keys from a Key Server
Adding Public Keys from e-mail Messages
Importing a Public Key from a File
Verifying the Authenticity of a Key
Chapter 4: Sending and Receiving Private E-mail
Encrypting and Signing E-mail
Encrypting and Signing with Supported e-mail Applications
Encrypting and Signing with PGPmenu
Encrypting and Signing from PGPtools
Decrypting and Verifying E-mail
Decrypting and Verifying from Supported e-mail Applications
Decrypting and Verifying from PGPmenu
Decrypting and Verifying from PGPtools
Chapter 5: Managing Keys And Setting Preferences
Managing Your Keys
The PGPkeys Window
Examining a Key
Getting Detailed Information About a Key
Specifying a Default Key Pair
Adding a New User Name or Address
Checking a Key’s Fingerprint
Signing Someone’s Public Key
Granting Trust for Key Validations
Disabling and Enabling Keys
Deleting a Key or Signature
Changing your Passphrase
Importing and Exporting Keys
Revoking a Key
Setting Your Preferences
General Preferences
Key Files Preferences
E-mail Preferences
PGPmenu Preferences
Key Server Preferences
Chapter 6: Security Features and Vulnerabilities
Why I wrote PGP
Encryption Basics
Beware of Snake Oil
Vulnerabilities
Cryptanalysis
Recommended Introductory Readings
Other Readings:
Glossary of Terms
Index
Chapter 1

Introducing PGP for Personal Privacy

With PGP™ for Personal Privacy, you can easily protect the privacy of your e-mail messages and file attachments by encrypting them so that only those with the proper authority can decipher the information. You can also digitally sign the messages and files you exchange, which ensures that they have come from the person who allegedly sent them and that the information has not been tampered with in any way while in transit.
Here are some of the features offered by PGP 5.0:
• Widely-trusted encryption and decryption incorporating maximum-strength cryptographic technologies
• Digital signature and verification for certifying messages and files
• Quick access to all functions from easily selectable menu items
• Integrated plug-in support for popular e-mail applications
• Implementation of PGP/MIME for quick encryption and decryption of messages and file attachments when sending and receiving e-mail
• Simple key generation with up to 4096-bit keys and support for multiple key formats (RSA and DSS/Diffie-Hellman)
• Sophisticated key management with graphical representations of key properties
• Integrated support for distributing and retrieving keys from public key servers
NOTE:
If you are running the DSS/Diffie-Hellman version of PGP for Personal Privacy, it does not generate keys using the RSA algorithm nor does it encrypt, decrypt, sign, or verify using RSA keys. If you find that you need to generate keys or otherwise use the RSA algorithm, see the vendor from whom you bought your PGP product.
The most convenient way to use PGP is through one of the popular e-mail applications supported by the plug-ins. This allows you to encrypt and sign as well as decrypt and verify your messages while you are composing and reading your mail. In addition, if you are communicating with another PGP user who is using an e-mail application that adheres to the PGP/MIME standard, you can perform all of the PGP functions on both your messages and any file attachments by simply clicking a button when sending or receiving your e-mail.
If you are using an e-mail application that is not supported by the plug-ins, you can easily transfer the text of your e-mail messages to the Clipboard and perform the necessary PGP functions from there.

A Quick Overview

PGP is based on a widely accepted encryption technology known as “public key cryptography” in which two complementary keys are used to maintain secure communications. One of the keys is a private key to which only you have access and the other is a public key which you freely exchange with other PGP users. Both your private and public keys are stored in keyring files which are accessible from the PGPkeys window in which you perform all your key management functions.
To send someone a private e-mail message, you use a copy of that person’s public key to encrypt the information, which only they can decipher by using their private key. Conversely, when someone wants to send you encrypted mail, they use a copy of your public key to encrypt the data, which only you can decipher by using your private key.
You also use your private key to sign the e-mail you send to others. The recipients can then use their copy of your public key to determine if you really sent the e-mail and whether it has been altered while in transit.
When someone sends you e-mail with their digital signature, you use a copy of their public key to check the digital signature and to make sure that no one has tampered with the contents.
With PGP you can easily create and manage your keys and access all of the functions for encrypting and signing as well as decrypting and verifying your e-mail messages and file attachments.
The following section provides a quick run-through of the procedures you normally follow in the course of using PGP.

Create a Private and Public Key Pair

Before you can begin using PGP, you need to generate a key pair consisting of a private key to which only you have access and a public key that you can copy and make freely available to everyone with whom you exchange e-mail. After you install PGP and have restarted your computer, you can then run PGPkeys and create a new key pair.

Exchange Public Keys with Others

After you have created a key pair, you can begin corresponding with other PGP users. To do so, you will need a copy of their public key and they will need a copy of your public key. Since your public key is just a block of text, it is really quite easy to trade keys with someone. You can either include your public key in an e-mail message, copy it to a file or you can post it on a public key server where anyone can get a copy when they need it.

Certify and Validate Your Keys

Once you have a copy of someone’s public key, you can add it to your public keyring. You should then check to make sure that the key has not been tampered with and that it really belongs to the purported owner. You do this by comparing the unique “fingerprint” on your copy of someone’s public key to the fingerprint on their key. When you are sure that you have a valid public key, you sign it to indicate that you feel the key is safe to use. In addition, you can grant the owner of the key a level of trust indicating how much confidence you have in them to vouch for the authenticity of someone else’s public key.
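
The fingerprint comparison described above, as an added example that is not part of the original manual: it computes fingerprints as the OpenPGP format (RFC 4880, section 12.2) defines them, MD5 over the modulus and exponent for version 3 RSA keys and SHA-1 over the framed public-key packet for version 4 keys, and accepts a claimed fingerprint only when every digit matches. It assumes that DSS/Diffie-Hellman keys use the version 4 format; the key numbers and timestamp are constructed sample values, and all function names are hypothetical.

```python
import hashlib
import struct

CREATED = 864_000_000  # constructed creation timestamp, not taken from a real key


def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def read_mpis(data):
    """Split a run of MPIs into their magnitude bytes, length headers removed."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated MPI header")
        (bits,) = struct.unpack_from(">H", data, pos)
        end = pos + 2 + (bits + 7) // 8
        if end > len(data):
            raise ValueError("truncated MPI body")
        out.append(data[pos + 2:end])
        pos = end
    return out


def fingerprint(body):
    """Hex fingerprint of a public-key packet body (version octet first)."""
    if not body:
        raise ValueError("empty key packet")
    version = body[0]
    if version == 4:
        if len(body) > 0xFFFF:
            raise ValueError("key packet too long")
        # SHA-1 over 0x99, a 2-byte body length, then the whole packet body.
        framed = b"\x99" + struct.pack(">H", len(body)) + body
        return hashlib.sha1(framed).hexdigest().upper()
    if version in (2, 3):
        # Skip version(1) + created(4) + validity(2) + algorithm(1), then
        # MD5 over the RSA modulus and exponent magnitudes only.
        mpis = read_mpis(body[8:])
        if len(mpis) != 2:
            raise ValueError("expected RSA modulus and exponent")
        return hashlib.md5(mpis[0] + mpis[1]).hexdigest().upper()
    raise ValueError("unsupported key version %d" % version)


def normalize(text):
    """Remove the spacing and case differences people add when quoting hex."""
    return "".join(ch for ch in text.upper() if ch not in " \t\r\n:-")


def fingerprint_matches(body, claimed):
    """True only if the claimed value equals the full computed fingerprint."""
    actual = fingerprint(body)
    given = normalize(claimed)
    # A key ID or any other partial fingerprint is rejected, never prefix-matched.
    return len(given) == len(actual) and given == actual


def sample_v4_key(y=0x1234567890ABCDEF):
    """Constructed version 4 DSA-style packet body; the numbers are not a real key."""
    p, q, g = 2**127 - 1, 2**61 - 1, 5
    header = b"\x04" + struct.pack(">I", CREATED) + b"\x11"
    return header + mpi(p) + mpi(q) + mpi(g) + mpi(y)


def sample_v3_key():
    """Constructed version 3 RSA packet body; the numbers are not a real key."""
    n, e = (2**89 - 1) * (2**61 - 1), 17
    return b"\x03" + struct.pack(">IH", CREATED, 0) + b"\x01" + mpi(n) + mpi(e)


if __name__ == "__main__":
    mine = sample_v4_key()
    quoted = fingerprint(mine).lower()
    spaced = " ".join(quoted[i:i + 4] for i in range(0, 40, 4))
    print("v4 fingerprint:", fingerprint(mine))
    print("v3 fingerprint:", fingerprint(sample_v3_key()))
    print("full match:", fingerprint_matches(mine, spaced))
    print("key ID only:", fingerprint_matches(mine, quoted[-16:]))
    swapped = sample_v4_key(y=0x1234567890ABCDEE)
    print("substituted key:", fingerprint_matches(swapped, spaced))
```

The last two checks show why the whole fingerprint must be compared: a short key ID is refused outright, and a key that differs in a single bit no longer matches the value its owner quoted.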

Encrypt and Sign Your E-mail

After you have generated your key pair and have exchanged public keys, you can begin encrypting and signing e-mail messages and file attachments.
• If you are using an e-mail application supported by the plug-ins, you can encrypt and sign your messages by selecting the appropriate options from your application’s tool bar. In addition, if you are communicating with other PGP users who are using an e-mail application that adheres to the PGP/MIME standard, you can encrypt and sign messages as well as file attachments automatically when you send your mail.
• If your e-mail application is not supported by the plug-ins, you can use PGPmenu or PGPtools to encrypt your e-mail messages and file attachments.

Decrypt and Verify Your E-mail

When someone sends you encrypted e-mail, you can unscramble its contents and verify any appended signature to make sure that the data originated with the alleged sender and that its contents have not been altered.
• If you are using an e-mail application that is supported by the plug-ins, you can decrypt and verify your messages by selecting the appropriate options from your application’s tool bar. In addition, if your e-mail application supports the PGP/MIME standard, you can decrypt and verify messages and file attachments sent using this format by clicking on an icon when reading your mail.
• If your e-mail application is not supported by the plug-ins, you can use PGPmenu or PGPtools to decrypt and verify your e-mail messages and file attachments.

About This Manual

This manual is organized in the following manner:
Chapter 1: Introducing PGP for Personal Privacy
Describes the purpose of the program, delves into the concept of public key encryption and digital signatures and provides a quick overview of how you will use the program.
Chapter 2: Getting Started
Runs through the steps needed to install and run the PGP program with a brief discussion of the main components and primary functions.
Chapter 3: Making and Exchanging Keys
Explains how to generate your private and public key pair and describes the methods for exchanging, protecting and authenticating keys.
Chapter 4: Sending and Receiving Private e-mail
Explains how to send and receive e-mail messages and file attachments depending on the type of e-mail application you and the recipients of your e-mail are using.
Chapter 5: Managing Keys And Setting Preferences
Explains how to examine and alter a key’s attributes and how to establish preferences for the PGP program.
Chapter 6: Security Features and Vulnerabilities
This chapter is provided by Phil Zimmermann. It describes the basic concepts behind public key encryption and elaborates on some of the vulnerabilities.
Chapter 2

Getting Started

This chapter explains how to run PGP and provides a quick overview of the procedures you will normally follow in the course of using the product. Based on this information, you will have a fairly good understanding of how to use PGP which should be especially appreciated by those who don’t want to read through the entire manual before beginning to use the product.

System Requirements

• Macintosh II or later model with 68020 or above
• System software 7.5 or later
• 8 MB RAM
• 10 MB hard disk space
• 68K Macs must be running Apple’s CFM 68K 4.0 or above. The PGP installer will install this if necessary.

Compatibility with Other Versions

PGP has gone through many revisions since it was released by Phil Zimmermann as a freeware product back in 1991, and it is estimated that there are now over 2 million copies in circulation. Although this version of PGP represents a significant rewrite of the original program and incorporates a completely new user interface, it has been designed to be compatible with earlier versions of PGP. This means that you can exchange secure e-mail with those who are still using these older versions of the product:
• PGP 2.6 (Released by MIT)
• PGP 4.0 (Released by ViaCrypt)
• PGP 4.5 (Released by PGP, Inc.)
Along with the new user interface and other improvements, one of the distinct differences between this version of PGP and its predecessors is the ability to generate a new type of key. In addition to the RSA keys used by previous versions, PGP for Personal Privacy, Version 5.0 gives you the option of using keys based on the DSS/Diffie-Hellman encryption and digital signature technologies. Although the DSS/Diffie-Hellman keys are provided as an alternative to the traditional RSA keys, you can take advantage of these newer keys only if you are exchanging e-mail with another user who is using one of the newer versions of PGP which is capable of recognizing these new keys.
Considering that it will take a while before the DSS/Diffie-Hellman keys gain widespread use in the user community, you will probably want to reserve a set of RSA keys so that you can continue to communicate with those who have earlier versions of PGP. If you are encrypting e-mail to multiple recipients, where some have RSA keys and others have DSS/Diffie-Hellman keys, the e-mail will be encrypted using the appropriate type of key for each individual. However, in order for users of older versions of PGP to handle “mixed” public key e-mail, they must upgrade their versions of PGP.
Another improvement in this version of PGP is the implementation of the PGP/MIME standard for some of the plug-ins that integrate PGP functions directly into popular e-mail applications. If you are using an application such as Eudora, you will be able to take advantage of this emerging standard, which lets you encrypt and sign as well as decrypt and verify your e-mail messages and file attachments automatically when you send or receive e-mail. However, you should only send this kind of e-mail to those who are also using PGP with an e-mail application which adheres to the PGP/MIME standard.

Upgrading from a Previous Version

If you are upgrading from a previous version of PGP (from either PGP, Inc. or ViaCrypt) you may want to remove the old program files before installing PGP to free up some disk space. However, you should be careful not to delete the private and public keyring files used to store any keys you have created or collected while using the previous version. When you install PGP you are given the option of retaining your existing private and public keyrings so you won’t have to go through the trouble of importing all of your old keys. You must copy your old keyrings into the PGP keyrings folder to save them for future use.

Installing PGP

To Install PGP from a CD ROM

1. Start your Macintosh.
2. Insert the CD ROM.
3. Run the Installer.
4. Follow the on-screen prompts.

To Install PGP from PGP’s Web Site

1. Download the PGP program onto your computer’s hard drive.
2. Double-click the PGP installation program icon.
3. Follow the on-screen prompts.

Running PGP

PGP works on the data generated by other applications. As such, the appropriate PGP functions are designed to be immediately available to you based on the task you are performing at any given moment. There are three primary ways to use PGP:
• From the PGPmenu
• From within supported e-mail applications
• From the PGPtools window

Using PGP from the PGPmenu

You can perform most PGP functions from the Finder or from within most applications by choosing the appropriate options from the PGPmenu icon in the menubar. This feature provides immediate access to the PGP functions regardless of which application you are using and is especially useful if you are using an e-mail application that is not supported by the PGP plug-ins.
While using e-mail or other text-based applications, you can encrypt and sign and decrypt and verify text by selecting the appropriate options from the pull-down menu. While using the Finder, you can encrypt and sign and decrypt and verify files and even entire folders.
(If you cannot find this icon in one of your applications, you need to add the application from the PGPmenu pane of the Preferences dialog box in the PGPkeys application.)
Opening the PGPkeys Application
By choosing PGPkeys from the PGPmenu or from the PGP folder, you open the PGPkeys window that shows the private and public key pairs you have created for yourself as well as any public keys you have added to your public keyring. (If you have not already created a new key pair, the PGP Key Generation Wizard leads you through the steps necessary to create a new key pair. However, before going through the process of creating a new key pair, you should see Chapter 3 for complete details regarding the various options.)
From the PGPkeys window you can create new key pairs and manage all of your other keys. For instance, this is where you examine the attributes associated with a particular key, specify how confident you are that the key actually belongs to the alleged owner, and indicate how well you trust that person to vouch for the authenticity of other users’ keys. For a complete explanation of the key management functions you perform from the PGPkeys window, see Chapter 5.
Setting Preferences
By choosing the Preferences option from the Edit menu in PGPkeys, you can access the Preferences dialog box where you specify settings which affect how PGP functions.
By clicking on the appropriate tab, you can advance to the preference settings you want to modify. For a complete explanation of these settings, see Chapter 5.
Getting Help
By choosing the PGP Help option when using PGPkeys or PGPtools from the Apple Guide menu on the menu bar, you can access the PGP help system which provides a general overview and instructions for all of the procedures you are likely to perform.

Using PGP from Supported e-mail Applications

If you have one of the popular e-mail applications supported by the PGP plug-ins, you can access the necessary PGP functions by clicking the appropriate buttons in your application’s icon bar. For example, you click the lock icon to indicate that you want to encrypt your message and the quill icon to indicate that you want to sign it. You then send your mail the way you normally do.
When you receive e-mail from another PGP user, you decrypt the message and verify the person’s digital signature.
To make things even simpler, if you are exchanging e-mail with another party who is also using PGP and an e-mail application which adheres to the PGP/MIME standard, both of you can automatically encrypt and decrypt your e-mail messages and any attached files when you send or retrieve your mail. All you have to do is turn on the PGP/MIME encryption and signatory functions from the PGP Preferences dialog box.
When you receive e-mail from someone who uses the PGP/MIME feature, the mail arrives with an icon in the message window indicating that it is PGP/MIME encoded.
When you receive PGP/MIME encapsulated mail, double-click the lock icon to decrypt its contents and double-click the quill icon to verify signatures.

Using PGP from the PGPtools Window

If you are using an e-mail application which is not supported by the plug-ins or if you want to perform PGP functions from within other applications, you can encrypt and sign or decrypt and verify messages and files directly from the PGPtools window. You can open the PGPtools window in several ways:
• Open the PGP folder and double-click the PGPtools icon.
• Store an alias of PGPtools in the Apple menu, and select PGPtools from that menu. You can also store an alias on your desktop. You then double-click on the alias to open PGPtools.
When the PGPtools window appears, you can begin your encryption work.
If you are working with text, you perform your encryption/decryption and signature/verification functions by selecting the text then dragging it onto the appropriate button in the PGPtools window.
If you are working with files, you can simply drag them to the appropriate button where the function is performed.

Selecting Recipients

When you send e-mail to someone whose e-mail application is supported by the PGP plug-ins, the recipient’s e-mail address determines which keys to use when encrypting the contents. However, if you enter a user name or e-mail address that does not correspond to any of the keys on your public keyring or if you are encrypting from PGPmenu or PGPtools, you must manually select the recipient’s public key from the Key Selection Dialog box.
All you need do to select a recipient’s public key is to drag the icon representing their key into the Recipient’s list box and then click OK. For complete instructions on how to encrypt and sign and decrypt and verify e-mail, see Chapter 4.

Taking Shortcuts

While you will find that PGP is quite easy to use, a number of shortcuts are available to help you accomplish your encryption tasks even quicker. You can drag a file containing a key into the PGPkeys window to add it to your key ring. These keyboard shortcuts are shown on all of the PGP menus and other shortcuts are described in their proper context throughout this manual.
Chapter 3

Making and Exchanging Keys

This chapter describes how to generate the private and public key pairs that you need to correspond with other PGP users. It also explains how to distribute your public key and obtain the public keys of others so that you can begin exchanging private and certified e-mail.

Key Concepts

PGP is based on a widely accepted and highly trusted “public key encryption” system by which you and other PGP users generate a key pair consisting of a private key and a public key. As its name implies, only you have access to your private key, but in order to correspond with other PGP users, you need a copy of their public key and they need a copy of your public key. You use your private key to sign the messages and file attachments you send to others and to decrypt the messages and files they send to you. Conversely, you use the public keys of others to send them encrypted mail and to verify their digital signatures.
NOTE:
Without going into too much technical detail, you might be interested to know that it is not actually the content of the e-mail that is encrypted using the public key encryption scheme. Instead, the data is encrypted using a much faster single-key algorithm, and it is this single key that is actually encrypted using the recipient’s public key. The recipient then uses their private key to decrypt this key, which allows them to decipher the encrypted data.
Your private key is also used to sign the contents of a given e-mail message or file attachment. Anyone who has a copy of your public key can check your digital signature to confirm that you are the originator of the mail and that the contents have not been altered in any way during transit. In the same way, if you want to verify somebody else’s digital signature or check the integrity of the e-mail they send to you, then you need a copy of their public key to do so.
This version of PGP supports two distinct types of keys—the RSA key used in older versions of PGP and a new type of key called DSS/Diffie-Hellman which is based on the latest advancements in cryptographic technologies. If you plan to exchange e-mail with someone who has PGP for Personal Privacy, Version 5.0 or later, then you can take advantage of the new DSS/Diffie-Hellman keys. However, if you are corresponding with someone who is using a previous version of PGP, you have to use the traditional RSA keys to communicate with them.
NOTE:
If you are upgrading from an earlier version of PGP, you have probably already generated a private key and have distributed its matching public key to those with whom you correspond. In this case you don’t have to make a new key pair (as described in the next section). If you have existing keys, you can copy them into your PGP keyrings folder after installation.
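The hybrid scheme and the signature check described under Key Concepts can be traced in a few lines of Python. This is an added example, not code from PGP or from this manual: the function names are hypothetical, the keys are textbook RSA without padding built from fixed primes, and a SHA-256 keystream stands in for PGP's single-key cipher. It also shows the session key being wrapped once per recipient while the message body is encrypted only once.

```python
import hashlib
import secrets

def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA from fixed primes: toy keys, no padding, not PGP's key format."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def single_key_cipher(key, data):
    """Stand-in for the fast single-key algorithm: XOR with SHA-256(key || offset)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)

def encrypt_for(public_keys, plaintext):
    """Encrypt the data once, then wrap the session key under each public key."""
    session_key = secrets.token_bytes(16)
    m = int.from_bytes(session_key, "big")
    wrapped = {name: pow(m, e, n) for name, (n, e) in public_keys.items()}
    return {"wrapped": wrapped, "body": single_key_cipher(session_key, plaintext)}

def decrypt_as(name, private_key, message):
    """Recover the session key with the private key, then decipher the body."""
    n, d = private_key
    session_key = pow(message["wrapped"][name], d, n).to_bytes(16, "big")
    return single_key_cipher(session_key, message["body"])

def digest_int(data):
    """SHA-256 digest of the data as an integer (smaller than both toy moduli)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data):
    """Sign the digest of the data with the sender's private key."""
    n, d = private_key
    return pow(digest_int(data), d, n)

def verify(public_key, data, signature):
    """True only if the signature matches this exact content under this key."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)

# Constructed toy keys built from Mersenne primes (never use such primes for real keys).
ALICE_PUB, ALICE_PRIV = toy_rsa_keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = toy_rsa_keypair(2**127 - 1, 2**1279 - 1)

if __name__ == "__main__":
    text = b"Meet at noon."  # constructed sample message
    msg = encrypt_for({"alice": ALICE_PUB, "bob": BOB_PUB}, text)
    print(decrypt_as("bob", BOB_PRIV, msg), verify(ALICE_PUB, text, sign(ALICE_PRIV, text)))
```

Changing a single byte of the message makes `verify` return False, which is the "not altered in transit" guarantee the text describes.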

Making a Key Pair

Unless you have already done so while using another version of PGP, the first thing you need to do before sending or receiving encrypted and certified e-mail is create a new key pair. A key pair consists of two keys: a private key that only you possess and a public key that you freely distribute to those with whom you correspond.

To Create a New Key Pair

1. Either choose the PGPkeys option from PGPmenu or double-click on the PGPkeys icon from the program folder.
The PGPkeys window opens.
2. Choose New Key option from the Keys menu.
The Key Generation Wizard provides some introductory information on the first screen.
3. When you are through reading this information, click Next to advance to the next dialog box.
The Key Generation Wizard then asks you to enter your user name and e-mail address.
4. Enter your name on the first line and your e-mail address on the second line.
It’s not absolutely necessary to enter your real name or even your e-mail address. However, using your real name makes it easier for others to identify you as the owner of your public key. Also, by using your correct e-mail address, you and others can take advantage of a plug-in feature that automatically looks up the appropriate key when you address mail to a particular recipient.
5. Click Next to advance to the next dialog box.
The Key Generation Wizard then asks you to choose a key type.
6. Select a key type, either DSS/Diffie-Hellman or RSA.
Earlier versions of PGP use an older technology referred to as RSA to generate keys. Beginning with this version of PGP, you have the option of creating a new type of key based on the newer DSS/Diffie-Hellman technology.
• If you plan to correspond with individuals who are still using the older RSA keys, you will probably want to generate an RSA key pair that is compatible with older versions of the program.
• If you plan to correspond with individuals who have the latest version of PGP, you can take advantage of the new technology and generate a pair of DSS/Diffie-Hellman keys.
• If you want to be able to exchange e-mail with all PGP users, you should make a pair of RSA keys and a pair of DSS/Diffie-Hellman keys and then use the appropriate set depending on the version of PGP that is being used by the recipient.
7. Click Next to advance to the next dialog box.
The Key Generation Wizard asks you to specify a size for your new keys.
8. Select a key size (from 768 to 3072) or enter any custom key size (from 512 to 4096).
The key size corresponds to the number of bits used to construct your digital key. The larger the key, the less chance that someone will ever be able to crack it, but the longer it will take to perform the decryption and encryption process. You will need to strike a balance between the convenience of performing PGP functions quickly with a smaller key and the increased level of security provided by a larger key. Unless you are exchanging extremely sensitive information that is of enough interest that someone would be willing to mount an expensive and time consuming cryptographic attack in order to read it, you are probably safe using a key composed of 2048 bits.
NOTE:
When creating DSS/Diffie-Hellman keys, the size of the DSS portion of the key is limited to 1024 bits.
9. Click Next to advance to the next dialog box.